Your message dated Fri, 19 Feb 2021 10:03:34 +0000
with message-id <e1ld2dk-000fmb...@fasolo.debian.org>
and subject line Bug#983090: fixed in python-django 2:3.2~alpha1-2
has caused the Debian Bug report #983090,
regarding python-django: CVE-2021-23336
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
983090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983090
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u10
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2021-23336[0]:
| The package python/cpython from 0 and before 3.6.13, from 3.7.0 and
| before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before
| 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl
| and urllib.parse.parse_qs by using a vector called parameter cloaking.
| When the attacker can separate query parameters using a semicolon (;),
| they can cause a difference in the interpretation of the request
| between the proxy (running with default configuration) and the server.
| This can result in malicious requests being cached as completely safe
| ones, as the proxy would usually not see the semicolon as a separator,
| and therefore would not include it in a cache key of an unkeyed
| parameter.
Django is vulnerable because it embeds parse_qsl:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
--- End Message ---
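The parsing divergence behind CVE-2021-23336, as an added example that is not part of the bug report or of Django's or CPython's code: a simplified re-implementation of the legacy parse_qsl behaviour (both `&` and `;` separate parameters) beside the fixed one (`&` only), plus a check a defender can run over logged query strings to flag requests that a proxy and the application would interpret differently. The query strings and the `utm_source` parameter name are constructed for the example.

```python
import re
from urllib.parse import unquote_plus


def _parse(qs, separator_pattern):
    """Minimal stand-in for parse_qsl: split the raw query on the separator
    pattern, then split each pair on its first '=' and percent-decode."""
    pairs = []
    for pair in re.split(separator_pattern, qs):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def parse_qsl_legacy(qs):
    """Pre-fix behaviour: ';' is accepted as a separator alongside '&'."""
    return _parse(qs, r"[&;]")


def parse_qsl_fixed(qs):
    """Fixed behaviour: only '&' separates parameters; ';' stays in a value."""
    return _parse(qs, r"&")


def _as_dict(pairs):
    # Group repeated keys so the two interpretations can be compared.
    grouped = {}
    for key, value in pairs:
        grouped.setdefault(key, []).append(value)
    return grouped


def cloaking_discrepancy(qs):
    """Names of parameters that a '&'-only parser (typical proxy) and a
    legacy '&;' parser (unpatched application) read differently. An empty
    set means both sides agree, so the proxy's cache key is sound."""
    legacy = _as_dict(parse_qsl_legacy(qs))
    fixed = _as_dict(parse_qsl_fixed(qs))
    return {k for k in legacy.keys() | fixed.keys() if legacy.get(k) != fixed.get(k)}


if __name__ == "__main__":
    # Constructed sample: an unkeyed tracking parameter carries a ';' so the
    # application sees an extra 'lang' parameter the proxy never keyed on.
    sample = "page=1&utm_source=newsletter;lang=de"
    print("legacy:", parse_qsl_legacy(sample))
    print("fixed: ", parse_qsl_fixed(sample))
    print("differs on:", sorted(cloaking_discrepancy(sample)))
```

Running the fixed parser on both the proxy and the application, as the Django and CPython patches do, makes the discrepancy set empty for every query string.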
--- Begin Message ---
Source: python-django
Source-Version: 2:3.2~alpha1-2
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 983...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 19 Feb 2021 09:28:42 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2~alpha1-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 983090
Changes:
python-django (2:3.2~alpha1-2) experimental; urgency=medium
.
* Apply security fix from upstream:
.
- CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
added to backport some security fixes. A further security fix has been
issued recently such that parse_qsl() no longer allows using ";" as a
query parameter separator by default. (Closes: #983090)
.
<https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
--- End Message ---